July 22, 2013

The United Nation's cybersecurity arm is planning to send out a multinational alert after a German research firm has discovered an encryption flaw that could compromise some types of mobile phones.

The flaw, discovered by experts at Security Research Labs (SRL) in Berlin, makes it possible for hackers to remotely gain control of and potentially clone millions of SIM cards, according to Jim Finkle of Reuters. The vulnerabilities could reportedly open up more than half a billion phones to hackers, he added.

"Through over-the-air (OTA) updates deployed via SMS, the cards are even extensible through custom Java software. While this extensibility is rarely used so far, its existence already poses a critical hacking risk," SRL officials explained in a blog entry. The programmable Java runtimes provided by these subscriber identification cards could make it possible for cybercriminals to crack them or deploy malware, they caution.

SRL founder and cryptographer Karsten Nohl, who discovered the flaw and will present his findings at the Black Hat computer security conference on July 31, told Forbes staff writer Parmy Olson the two-part vulnerability is based on an outdated security standard and poorly configured code that allows hackers to remotely infect SIM cards with viruses.

Those malware programs could send premium text messages, thus adding charges to a phone bill or draining valuable minutes, or re-direct and record calls. The vulnerability could even be used to carry out payment system fraud in places like Africa, where SIM-card based payments are commonly used. The discovery of the flaws could further hamper the deployment of NFC payment technology, according to Olson.

The encryption flaw allowed outsiders to obtain the SIM card's 56-digit digital key, which allows them to then modify the chip remotely, Nohl told the New York Times. That digital key was all Nohl needed in order to text malware to the SIM card, eavesdrop on calls, make purchases through mobile payment systems, and even impersonate the owner of the phone.

The entire procedure reportedly took the cryptologist about two minutes and only required a regular personal computer. "We can remotely install software on a handset that operates completely independently from your phone," he said. "We can spy on you. We know your encryption keys for calls. We can read your SMS's. More than just spying, we can steal data from the SIM card, your mobile identity, and charge to your account."

Nohl's firm advocates three possible levels to help defend against the possibility of remote SIM card exploitation. Their first recommendation is the development of better SIM cards that utilize state-of-the-art cryptography, longer keys, and more secure Java virtual machines. Their second is an SMS firewall on the phone, itself, capable of deciding which text messages to trust and which ones to block. And their third is in-network filtering of messages.

In response to SRL's discovery, the UN's International Telecommunications Union is planning to issue an advisory to nearly 200 different countries warning them about the potential threat to mobile phone technology, Finke said.

The ITU called the findings "hugely significant" and also said they were planning to contact mobile companies and industry experts regarding the research. Conversely, American mobile technology trade group CTIA told Reuters they believed the finding posed no immediate threat.

Apple, developers of the iPhone, and Google, who developed the Android mobile operating system, had no comment, Finkle said. Blackberry security officials released a statement which said the company had proposed new SIM card standards in 2012 to protect against these types of attacks, and that the new standards has been adopted by the GSMA mobile operator and retail association.